The devil is in the details How cybercriminals, leakers, - - PowerPoint PPT Presentation
The devil is in the details How cybercriminals, leakers, State-sponsored hackers failed their opsec #NOHAT 2019 - Carola Frediani Opsec and the human factor You can get the tech right and still fail the opsec. Why? undisciplined past
You can get the tech right and still fail the opsec. Why?
Tails or a similar system -> “a sophisticated software tool which runs without being installed on a computer and provides anonymous internet access, leaving no digital footprint on the machine” (indictment)
access to the internet”.
Brokers leaks
A Google search on the Twitter handle and display name found someone using the same name on a personal ad seeking female sex partners. The anonymous ad included a real picture of Martin and identified him as a 6-foot-4-inch 50-year-old male living in Annapolis, Md. A different search led them to a LinkedIn profile for Hal Martin, described as a researcher in Annapolis Junction and "technical advisor and investigator on offensive cyber issues." (source: Politico)
Twitter handle > dating site > his real photo, location, age > Linkedin profile > language clue (CAMBRIC) Also:
associated to his real life
hal999999999 had a display picture matching the motor vehicle administration photo of Martin
name in the digital address and it was linked to
her résumé (source: affidavit)
Slack channel, naming her VPN, that matched Capital One logs of the intruder and GItHub logs
where the alias erratic posted breached data
(erratic)" as organizer
(where she talked of the hack, and had her real life photo)
behind AlphaBay Market
prison
DeepDotWeb: “I am absolutely certain that my opsec is secure, and I live in an
Around December 2014 AlphaBay's operators decided to add a forum to the martketplace. Users who registered on AlphaBay's forum got a greeting message from the site's admin. In December 2016, FBI learned that for a short period in 2014 these greeting emails included the AlphaBay admin's personal email address in the message header. That email address was: "pimp_alex_91@hotmail.com" Image credits: Christy Quinn
header of the AlphaBay forum pwd recovery process (forfeiture complaint)
associated to a LinkedIn account for Alexandre Cazes, born in 1991
Montreal and run a tech company, EBX technologies
Hotmail account
previously used on carding forums. And that was linked to his email and name in a 2008 post on a tech forum
Police caused AlphaBay servers to shutdown, forcing Cazes to access AlphaBay forum/datacenter and try to reboot the servers. (“Law enforcement-caused outage”) Then they tricked Cazes into leaving his laptop by simulating a car accident outside his Thai home. Undercover cops crashed a car through his front gate. Cazes had the passwords for the servers stored in unencrypted text files, and an Excel with all his properties. (Thanks to @Patrick_Shortis for some help on this case)
ALTOID HANDLE -> SILK ROAD ALTOID HANDLE -> ULBRICHT EMAIL I (Images via IPVN.net)
On October 2013, FBI agents decided to arrest Ross Ulbricht because there was a chance to get the laptop unencrypted. In the public library he was working in, a couple (two FBI agents) simulated a fight behind him. And when he turned away the FBI snatched his laptop, a Samsung 700z encrypted with TrueCrypt. He was logged into Silk Road. They found: PGP private keys, the .php files that built Silk Road, spreadsheets, chat logs, a journal. Thettttt
Source: The Grugq
Gal Vallerius aka OxyMonster was a vendor on underground marketplace Dream Market. He was arrested in August 2017 after flying to the US to attend a beard competition. Border guards searched his (unencrypted?) laptop and found his credentials for Dream Market, a PGP private key used by a Dream Market vendor, $500,000 US in bitcoin and a copy of Tor browser. Why was he a suspect?
help he gave in the forum.
transactions went to a Localbitcoins.com account registered to Gal Vallerius.
Instagram accounts and analysed his writing style comparing it with more than 1,000 comments left by OxyMonster on Dream Market.
marks, French posts were a common pattern.
Investigation: chain analysis > social media OSINT > writing analysis > device search at the border Mistakes: no tumblers > no compartmentation > no avoiding US > no encryption
Stick to yourselves. If you are in a crew - keep your opsec up 24/7. Friends will try to take you down if they have to. (Sabu aka Hector Xavier Monsegur) Jeremy Hammond identified via a triangulation
nicknames (Anarchaos, yohoho, POW)
peer recognition, the exchange of tools weaken opsec
cybercriminal groups; much more than State-sponsored groups)
State-sponsored hackers (Russian GRU) allegedly responsible for the DNC leaks:
APT28)
So Source: Motherboard
(linuxkrnl.net) Guccifer’s VPN funds from same DCLeaks bitcoin address Bitly link > Bitly account (not private) > many Bitly URLs (phishing campaign targeting the Democrats)
Kim Hyon Woo persona accounts (Lazarus attacks): tty198410@gmail.com hyon_u@hotmail.com hyonwoo01@gmail.com hyonwu@gmail.com @hyon_u Chosun Expo accounts (Park Jin Hyok): ttykim1018@gmail.com surigaemind@hotmail.it pkj0615710@hotmail.com mrkimjin123@gmail.com tty198410@gmail.com ttykim1018@gmail.com surigaemind@hotmail.it hyonwu@gmail.com pkj0615710@hotmail.com mrkimjin123@gmail.com tty198410@gmail.com
identity (WHO)
criminal conduct (WHAT) “Successful cyber criminals are those who avoid both detection of their crimes and identification”
OPSEC and TRADECRAFT then you lose - (Krypt3ia) However, crypto helps.
Contact between personas (covers) contaminates both (the grugq)
However, people love logging.
are going to mess up.
attacking many targets maintaining a good
might well be the toughest to identify (especially if she/he doesn’t move much money).
well-being, autonomy, patience.
Carola Frediani Twitter: @carolafrediani Newsletter: https://guerredirete.substack.com/